Key

The name of the connection as it will appear to users at our authentication point. This should be a form of your organisation name so users can find it in a list when they need to.

Directory type

Used to set default values where Active Directory is different from the underlying LDAP standard.

Server host

The address where OpenAthens can connect to your server. This address will need to be accessible by our services from outside of your network.

Server port

The port that your server uses for LDAP traffic. You can specify a non-standard port if necessary.

Connection type

The form of security used. StartTLS is the industry standard but ldaps:// can be chosen for older systems.

Admin bind DN

The full distinguished name of a user that can connect and view all the users you need to authenticate, e.g:

cn=openathens,cn=users,dn=ad,dn=yourdomain,dn=net

Bind password

The password for the user specified in the admin bind

Base DN

The distinguished name of your directory, e.g:

dn=ad,dn=yourdomain,dn=net

Filter

Allows you to specify the username field, plus limitations where necessary. The field you identify as =${uid} will be used as the username in login dialogs

Unique user attribute

This should be an attribute that will always be unique to that user and it is used in the generation of targetedIDs. It defaults in AD to 'objectGUID'.

TargetedID seed value

The seed used to generate a targetedID. This should only be used when you are migrating from something like OpenAthens LA to MD and is provided so that your users can have the same targetedID value when they change systems.

Leaving it blank is usually the correct thing to do. Modifying this after you go live will change the identifiers seen by service providers for all your users and is not usually recommended.

Status

Live & visible = production ready. Users will be able to access this login at the authentication point. It will become the default login whenever your organisation is known (e.g. for any resources where access involves your entityID).

Live and not visible = testing mode. Will work with the supplied test URL, but the authentication point will only use OpenAthens accounts.